9 important actions for GDPR-compliance

Expert view
It has been more than four years since the EU adopted the General Data Protection Regulation (GDPR). Now everyone who builds apps must comply with the privacy regulations or face fines of up to 20 million euros. So here's our GDPR compliance guide for software developers and entrepreneurs.

Are you GDPR compliant?
Check the following criteria to see if your solution falls under the privacy rules:
  • Are EU citizens using your solution?
  • Does your website have a subscription feature?
  • Do you have comment sections?
  • Can users log in to your site using a third-party app?

If you answered yes to at least one question, congratulations, you are definitely a GDPR candidate. So you'd better start reading about how to be GDPR compliant.

Read on: everything you need to know about GDPR software requirements and how to prepare your company for the new age of privacy.

How to ensure GDPR compliance?
1. Think about whether you really need all the data you collect.
The first step to creating GDPR-compliant software is to verify what personal data it's storing.

Do you really need them?

The best course for a privacy-conscious future is to collect only the necessary minimum of personal data.

2. Encrypt all personal data
Encryption encrypts data in such a way that it becomes unintelligible to those who don't have the keys to decrypt it. While this is often cited as a key factor in GDPR compliance, the word "encryption" is only mentioned 4 times in the text of the GDPR:
  • "...apply measures to mitigate these risks, such as encryption." (P51. (83))
  • "...appropriate safeguards, which may include encryption" (P121 (4.e))
  • "...including, but not limited to, as appropriate: (a) pseudonymization and encryption of personal data." (P160 (1a))
  • "...incomprehensible to any person not authorized to access it, such as encryption" (P163 (3a)).
As any cybersecurity expert will tell you, data breaches are inevitable.

In July 2015, hackers attacked Ashley Madison and stole more than 25 GB of personal data from an adulterer dating site.The information, including names, email addresses and addresses, was stored in plain text, allowing anyone to track down potential cheaters. This negligence led to a wave of blackmail, ruined careers and broken marriages.The site owners had to pay more than $11 million to settle subsequent lawsuits.In addition, at least three people committed suicide because of the Ashley Madison hack.

3. Get your consent forms in order

Forget about any forms with pre-checked boxes.
Your consent forms should default to "no" or be blank. That way, you're not forcing users to actively opt out. Implement granular opt-in.
As a website owner, you want to reach out to your customers from time to time for marketing purposes. You need to ask for explicit consent for each type of data processing.

This means that if you want to send out promotional materials via email, phone and mail, your consent form should contain three separate fields. If you only need an email address for marketing, marketing consent is sufficient. But if you're using personalization, segmentation or targeting, you'll need both marketing consent and consent (or legitimate interest) to collect and profile any additional behavioral or demographic data.

4. Clarify third-party information
If you share your customers' personal data with third parties, you should accurately identify and name each of those parties on your consent forms.

Each consent has a different checkbox.
However, in this case, you would have to refuse permission instead of consent, which is a big NO under GDPR.

Giving third parties access to your users' personal data for analytics or other purposes is definitely a bad idea.

According to more than 300 industry experts, most users don't want third parties approaching their personal data.

5. Make the Terms and Conditions section highly visible
Under GDPR, you're no longer allowed to hide your Terms and Conditions or bury them in fine print. According to the regulations, the following scheme is no longer appropriate:
Users will have to confirm that they have read and agree to the Terms and Conditions before accessing your app.

6. Make sure users can easily withdraw their consent
Due to the new GDPR principle of "Right to be Forgotten," users should be able to unsubscribe and withdraw their consent at any time. If, for example, you send newsletters to your customers, your links and emails should include an "unsubscribe" feature.

7. Change your cookie policy
The GDPR white paper refers to cookies in the following context (recital 30): individuals may be associated with online identifiers [...], such as Internet Protocol addresses, cookie identifiers, or other identifiers [...]. This can leave traces that, in combination with unique identifiers and other information obtained by servers, in particular, can be used to create profiles of individuals and identify them.

Since 2020, you should either avoid using such cookies or find legitimate reasons to collect and process personal data:
  • Legal Obligations
Legitimate interests (as long as they do not violate an individual's rights);
Requirements to fulfill a contract (e.g., collecting payment data from counterparties).
  • User Consent.
According to the GDPR, the first visit to your site does not automatically mean you consent to the processing of personal data. Even if you display "If you use this site, you accept cookies," a case of consent is not considered "freely given" (Article 42).

Granular consent still applies, so if you want to track visitors' behavior and use their data for advertising, you have to get consent for every action. You'll also have to give visitors the ability to easily withdraw their consent.

Remember that you can't block access to your site for users who have withdrawn their consent. And after they log out, you will have to destroy their cookies and sessions.

8. Delete all personal data after it's transferred to payment gateways
This is a very important step for e-commerce applications. If you use payment gateways, you are likely collecting personal customer data. In most cases, this data stays on your system. This is illegal under data protection regulations. Your app must delete all of your customers' personal data within a certain period of time (e.g., 60 days).

9. Give users the option to opt out of tracking your business intelligence
E-commerce sites often track visitor behavior and tastes to improve their recommendations. Under the GDPR, such activities require clear and explicit consent. You will also have to tell users how this data will be stored in your systems and for how long. If a user refuses to be tracked, you must respect their choice.

Bottom line
Now you know how to become GDPR compliant. In a future where everyone cares about privacy, the ability to ensure that your application is secure and transparent will be a huge advantage. You can use this GDPR compliance checklist to develop software to rise above the competition and carve your niche in changing markets. And if the task seems too daunting, you can always rely on Defendocs to take care of GDPR compliance for your software.